Introduction

This survey was conducted by LawInSport and received over 200 responses from sports organisations, government agencies and professional services firms from across Europe. The survey was published on LawInSport.com and distributed to LawInSport’s network. The survey was sponsored by MyDailyGDPR.

The results of the survey demonstrate that there is an urgent need for more awareness, training and support across Europe to prepare sports organisations for the introduction of the EU’s General Data Protection Regulation (“GDPR”), which comes into force on 25th May 2018. This piece of legislation has been described as “the most important change in data privacy regulation in 20 years” and “replaces the Data Protection Directive 95/46/EC and was designed to harmonise data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organisations across the region approach data privacy.”1

It can easily be overlooked that the GDPR also applies to organisations outside the EU that capture and process the data of EU citizens. Notably, a number of the sports organisations outside the EU highlighted their concerns about how to approach the processing of EU citizens’ data. In particular, the lack of information and general awareness was highlighted as an issue here.

Key Findings

Implications of the GDPR

84% of sports organisations were not fully aware of the implications of the GDPR for their organisation. This is surprising given the coverage the GDPR has received and its goal of making transparency in data privacy protection a right of each EU citizen. There remains a significant amount of work to be done to educate and assist sports organisations in advance of the GDPR coming into force in May 2018. Regardless of the GDPR, it will serve sports organisations well to fully understand the data they hold and to have clarity over what they can and cannot do with it, as consented to by individuals.

Fines & Personal Data of Minors

40% of sports organisations were not aware that non-compliance can result in fines of as much as 4% of annual turnover or €20m, whichever is higher. 63% of professional advisors said their clients were not aware that the GDPR applies to all enterprises that process EU citizens’ personal data, including data of children under 16 years old. This is concerning given the importance of the protection of minors, with parental consent necessary in order to process children’s data, and the severity of fines for non-compliance and data breaches.

Data Sources

42% of sports organisations find it difficult to manage compliance across multiple data sources (including social media, internally hosted and third-party hosted). This is reflected in survey respondents’ requests for data mapping, records management and consent solutions.

Legal & IT/Tech Teams Involvement

Only 23% of sports organisations said that neither their IT/tech nor their legal teams were involved in GDPR compliance. This is concerning given the need to understand both the legal and the practical application of the GDPR and domestic data protection laws. It may indicate that many sports organisations have not conducted a data audit and are unclear about the requirements they must meet.

Business Buy-In

43% of sports organisations did not feel their business was supportive of becoming compliant with the GDPR. There appears to be a need for sports organisations to take ownership of their data protection policies and procedures and to provide the necessary resources and support to those working on data protection matters within their organisations, such as their legal teams, to ensure they are compliant with the GDPR and other data protection laws.

Data Protection Officers

80% of sports organisations said they did not have an appointed Data Protection Officer (DPO). This is concerning and indicates a lack of designated responsibility for data protection within organisations. Those organisations that are mandated to have a DPO should be mindful of conflict-of-interest issues: where an existing employee is designated as the DPO, they should check that this person is not someone already processing company data.2

Automation for Compliance

75% of sports organisations had not explored using technology to automate or outsource the DPO function to help monitor regulations and manage compliance. This was echoed by 79% of professional advisors. The lack of awareness of the implications of the GDPR shows there is a need for greater education around the GDPR and data protection regulation in general. Given the increasing reliance of sports organisations on capturing and processing personal data, combined with concerns over the time-consuming nature of monitoring compliance, it is likely that many organisations will explore the use of technology and automation in the coming months to assist them.

The biggest challenge sports organisations face to be compliant with the GDPR

From the responses to the survey we have identified five key areas of concern and, understandably, the areas in which sports organisations require the most help:

How To Help

“Greater clarity and guidance produced by the ICO - lacking at the moment.” [UK specific]

“Inform about penalties.”

“Information and assistance from a trusted adviser.”

“The implementation when specialist resources are not available.”

3. Data Management & consent to process personal data

Concerns

“Assessing what data we hold.”

“Gaining consent to process data – including gaining consent from all individuals and parents/guardians of children, supporters, etc. Lack of knowledge of the subject.”

“Ensuring accurate data records and finding out how much data we are dealing with.”

“Data retention scope and periods.”

“Data related to health of athletes.”

“How to organise information to be compliant.”

“Systematic approach across the Club regarding the collection and processing of data.”

“We are not a data controller, but rather a data processor, so we are acting in support of our clients who are DCs. Fortunately we are an enabler of GDPR although we are fine-tuning our systems and processes based on the specific reqs of GDPR. We are working on including contractual language encompassing GDPR, a Processor/Controller contract.”

“Understanding necessary technical controls.”

“Mandating heightened internal standards.”

“Having a good view on all information streams.”

“The implications of information sharing agreements with other organisations and how this may increase the risk of sanctions under GDPR.”

“Maintaining personal data with consent and using data in a day to day environment that is very reliant on volunteers.”

“Ensure consent requested for collection is adequate and documented and collection is transparent. Ensure that data is not kept longer than necessary. Ensure that data is not kept in prohibited locations. Prepare processes and templates for replying to data subjects’ requests.”

“Culture change elements to ensure only relevant data is kept for the defined purpose and timeframes.”

“The identification of all the data processed by all the departments. The risk assessment and the creation of an incident response plan in order to be compliant with the GDPR.”

“Company-wide overhaul of approach to data - complete behavioural change - so as to understand all that we process/control.”

“Ensuring that all policies, especially the obtaining of consent, are compliant.”

“Mobilising and putting in correct systems.”

How To Help

“Sample consent form and privacy statement for amateur organisations.”

“Model privacy notice.”

“Monitoring and audit.”

“Data mapping.”

“Clear measurements of compliance.”

“Clear guidelines, education, probably automatic control of some functions in software.”

“Knowledge of how to collect sensitive data in a compliant manner.”

“Having an up to date and complete data register.”

“Inspection & report from the organisation.”

“Records management.”

“Templates for data audits.”

“Having a detailed data mapping process completed.”

“Understanding that personal data should no longer be sent via spreadsheet would be useful.”

“Checklists, toolkits and how-to guides.”

“A clear step by step checklist of what needs to be done in order to ensure compliance.”

“Outsourcing of service.”

“Whether any of this matters to grassroots clubs at the data they ‘process’ when little appears to be done currently when a large organisation loses control of data.”

Copyright notice

This work was written for and first published on LawInSport.com (unless otherwise stated) and the copyright is owned by LawInSport Ltd. Permission is granted to make digital or hard copies of this work (or part, or abstracts, of it) for personal use, provided copies are not made or distributed for profit or commercial advantage, and provided that all copies bear this notice and full citation on the first page (which should include the URL, company name (LawInSport), article title, author name, date of the publication and date of use) of any copies made. Copyright for components of this work owned by parties other than LawInSport must be honoured.